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third  of  four  reports  on  the  Defense  Civilian  Personnel  Data  System  by  the  Office  of 
Inspector  General,  DoD.  We  considered  management  comments  on  a  draft  of  this 
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Report  No.  98-127  April  29, 1998 

(Project  No.  7RE-3006.02) 

Information  Assurance  of  the  Defense  Civilian 
Personnel  Data  System  -  Navy 


Executive  Summary 


Introduction.  This  report  is  the  diird  of  four  reports  in  our  ongoing  review  of  the 
Defense  Civilian  Personnel  Data  System.  The  first  report  discussed  acquisition 
management  controls  for  the  Defense  Civilian  Personnel  Data  System  and  the  second 
report  discussed  the  information  assurance  controls  for  the  overall  system.  The 
Defense  Civilian  Personnel  Data  System  is  an  automated  information  system  that  will 
process  sensitive-but-unclassified  personnel  information  for  209,000  Navy  and  Marine 
Corps  civilian  personnel  records  at  8  regional  personnel  centers  and  approximately 
100  customer  support  units. 

Audit  Objectives.  The  overall  audit  objective  was  to  evaluate  the  adequacy  of 
information  assurance  for  the  Defense  Civilian  Personnel  Data  System  as  it  relates  to 
the  Navy.  Specifically,  we  evaluated  security  planning,  risk  analysis,  and  security 
management.  We  did  not  evaluate  the  security  of  network  aixl  communications 
infrastructure  because  DoD  resources  were  not  available  to  conduct  vulnerability 
assessments.  We  also  reviewed  the  management  control  program  as  it  applied  to  the 
audit  objectives.  Appendix  A  discusses  the  audit  process.  Appendix  B  provides  a 
summary  of  prior  coverage  related  to  the  audit  objectives. 

Audit  Results.  The  Na^  Pacific  Region  and  two  of  its  three  human  resources  offices 
have  made  Defense  Civilian  Personnel  Data  System  information  assurance  a  high 
priority  and  have  computer  security  programs  in  place.  However,  at  the  beginning  of 
the  audit,  its  Human  Resources  Office  Marine  Corps  Base  Hawaii  Kaneohe  Bay  did  not 
have  a  security  program  in  place.  As  a  result  of  the  inadequate  information  assurance 
controls  at  Human  Resources  Office  Marine  Corps  Base  Hawaii  Kaneohe  Bay,  the 
Navy  cannot  ensure  the  confidentiality,  integrity,  and  availability  of  more  thm 
209,(XX)  Navy  and  Marine  Corps  civilian  personnel  records.  See  Part  I  for  the 
complete  discussion  and  Appendix  A  for  details  on  the  management  control  program. 

Corrective  Actions  Taken  or  Hanned.  The  Human  Resources  Office  Marine  Corps 
Base  Hawaii  Kaneohe  Bay  has  taken  corrective  action  during  the  audit  by  developing  a 
security  policy  and  interim  authority  to  operate  and  by  conducting  a  system  security  test 
and  evaluation.  It  has  also  appoint^  key  security  management  positions  and 
established  a  risk  analysis  safeguard  checklist  to  identify  and  de&ie  overall  system 
threats  and  vulnerabilities  for  &e  computers  tiiat  run  the  Defense  Civilian  Personnel 
Data  System,  and  it  has  initiated  ongoing  security  awareness  training  in  accordance 
with  the  Computer  Security  Act  of  1987. 


1 


Summary  of  Recommendations.  We  recommend  that  the  Human  Resources  Office 
Marine  Corps  Base  Hawaii  Kaneohe  Bay  improve  the  adequacy  of  its  Defense  Civilian 
Personnel  Data  System  information  assurance  program  by  completing  an  overall 
security  plan  and  a  contingency  plan. 

Management  Comments.  The  Department  of  the  Navy  concurred  widi  the 
recommendations  and  has  initiated  needed  actions.  See  Part  I  for  a  discussion  of 
management  comments  and  Part  III  for  the  complete  text  of  the  management 
comments. 
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Audit  Background 


Defense  Civilian  Personnel  Data  System.  The  modem  Defense  Civilian 
Personnel  Data  System  (DCPDS)  wUl  provide  a  seamless  autonnted  information 
system  for  civilian  personnel  policy  actions  and  personnel  decisions  during 
peacetime,  contingencies,  and  wartime.  The  modem  DCPDS  will  support 
Military  Elepartments  and  Defense  agencies  worldwide  and  will  be  u^  by 
personnel  officials,  employees,  managers,  and  senior  leadership  at  all  levels  of 
DoD  operations.  The  current  operational  DCPDS  is  an  interim  system  designed 
to  improve  and  enhance  personnel  staffs  during  the  DoD  transition  to  the 
modem  DCPDS.  The  interim  DCPDS,  which  this  report  refers  to  as  DCPDS, 
resides  on  a  mainframe  computer  and  Im  separate  databases  at  Military 
Department  or  Defense  agency  levels  to  support  civilian  personnel  operations. 
The  DCPDS  ^tabases  are  maintained  at  the  Defense  Information  Systems 
Agency  Defense  Megacenter,  located  at  Kelly  Air  Force  Base,  San  Antonio, 
Texas.  The  DCPDS  stores,  processes,  and  transmits  data  for  750,000  personnel 
records,  of  which  209,000  belong  to  the  Navy  and  Marine  Corps  and  are 
subject  to  the  Privacy  Act  of  1974  and  the  Freedom  of  Information  Act.  For 
security  purposes,  die  DCPDS  data  are  labeled  “sensitive-but-unclassified.” 

The  DCPDS  Acquisition  Program  Manager  has  been  delegated  responsibility  for 
the  overall  protection  of  the  DCPDS  information  and  the  computer  resources. 
The  responsibility  for  the  confidentialiQ^,  integrity,  and  availability  of  the 
DCPDS  information  resides  with  all  DoD  organizations  and  persons  who  have 
access  to  toe  records. 

The  Navy  R^ons.  The  modem  DCPDS  will  enable  toe  Military  Departments 
and  toe  Defense  agencies  to  process,  store,  and  transmit  civilian  personnel 
records  on  databases  at  22  regional  service  centers.  Regionalization  of  civilian 
personnel  operations  began  in  FY  1995.  The  Navy  is  consolidating  hundreds  of 
full-service  Navy  and  Marine  Corps  personnel  offices  into  eight  regions  called 
human  resources  service  centers'.  In  October  1996,  toe  Navy  established  toe 
Pacific  Region,  Honolulu,  Hawaii. 

A  region  is  the  repositoty  for  official  personnel  Hies  and  regional  DCPDS 
databases.  A  Navy  region  maintains  a  regional  database  containing  personnel 
records  of  serviced  employees,  and  toe  regional  database  updates  toe  Navy 
DCPDS  database  in  San  Antonio,  Texas.  The  personnel  data  are  transmitted 
using  toe  Internet.  Additionally,  toe  Navy  DCPDS  database  feeds  data  to  other 
DoD  databases;  for  example,  it  feeds  them  to  toe  Defense  Civilian  Payroll 
System  and  toe  Navy  Headquarters  System. 


'Regions  are  called  human  resources  service  centers  by  the  Navy  and  regional  service  centers  by  DoD. 
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A  region’s  mission  is  to  provide  information  manajgement  and  processing 
support  for  position  classification,  personnel  recruitment  and  staffing,  workforce 
development,  employee  benefits  and  services,  and  related  r^rds  inanagement. 
The  Navy  a^  the  Marine  Corps  will  reestablish  the  remaining  portions  of  d^eir 
civilian  personnel  offices  as  independently  operated  human  resources  offices 
(HROs)  focusing  primarily  on  personnel  program  planning  and  oversight,  policy 
analysis  and  development,  and  management  advice  and  consultation  for 
personnel  management  within  their  respective  commands.  Under  &e 
regionalization  concept,  HROs  will  support  a  customer  service  environment  and 
provide  advisory  services.  In  October  1996,  three  HROs  became  operational  in 
the  Pacific  Region  at  the  following  locations: 

•  Pearl  Harbor  Naval  Shipyard,  Hawaii; 

•  Commander  Naval  Base  Pearl  Harbor,  Hawaii;  and 

•  Marine  Corps  Base  Hawaii  Kaneohe  Bay,  Hawaii. 

Safeguarding  Personnel  Data.  DoD  civilian  personnel  data  are  subject  to 
provisions  of  the  Privacy  Act  of  1974  and  the  Freedom  of  Information  Act. 

Tlie  Privacy  Act  of  1974  generally  requires  Federal  age^ies  to  safeguard 
personal  information  from  disclosure  to  any  other  organization  or  iiidividual 
without  the  consent  of  the  individual  to  whom  the  information  pertains.  The 
Privacy  Act  of  1974  also  requires  each  agency  to  account  for  disclosures  of 
information  to  other  organizations  and  individuals.  The  Freedom  of 
Information  Act  requires  agencies  to  make  information  available  to  the  public 
but  excludes  from  tiiat  disclosure  personnel  information  that  would  constitute  an 
invasion  of  privacy.  The  DCPDS  for  the  Navy  must  meet  provisions  of  the 
Privacy  Act  of  1974  to  safeguard  the  personnel  data. 

The  policy  and  procedures  for  safeguarding  sensitive-but-uncl^sified  DoD 
information  are  prescribed  in  DoD  Directive  5200.28,  “Security  Requirements 
for  Automated  Information  Systems  (AISs),”  March  21,  1988.  “Information 
assurance”  and  “computer  security,”  as  u^  in  this  report,  are  intended  to  be 
synonymous.  Please  see  Appendix  C  for  a  glossary  of  terms  used  in  this  report. 


^Support  units  are  called  human  resources  offices  by  the  Navy  and  customer  support  units  by  DoD. 
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Audit  Objectives 


The  overall  audit  objective  was  to  evaluate  the  adequacy  of  information 
assurance  of  DCPDS  for  die  Navy.  Specifically,  we  evaluated  security 
planning,  risk  analysis,  and  security  management.  We  did  not  evaluate  the 
security  of  network  and  communications  infrastructure  because  DoD  resources 
were  not  available  to  conduct  vulnerability  assessments.  We  also  reviewed  the 
adequacy  of  the  DCPDS  management  control  program  as  it  applied  to  the 
overall  audit  objective.  See  Appendix  A  for  a  discussion  of  the  audit  scope  and 
methodology  and  the  review  of  the  management  control  program.  Appendix  B 
provides  a  summary  of  prior  coverage  related  to  the  audit  oQectives. 
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Information  Assurance  Program 

The  Navy  Pacific  Region  and  two  of  its  three  HROs  possess  a  securiQ' 
policy,  security  plan,  contingency  plan,  and  interim  authority  to  operate. 
They  also  conduct  system  security  test  and  evaluations,  risk  analyses, 
and  security  training  and  awareness  programs;  appoint  key  security 
management  positions;  and  have  system  access  controls  a^  physical 
security  controls  in  place.  However,  at  the  beginning  of  the  audit,  its 
HRO  Marine  Coips  Base  Hawaii  Kaneohe  Bay  did  not  have  a  security 
progrm  in  place.  During  the  audit,  the  HRO  Marine  Corps  Base 
Hawaii  Kaneohe  Bay  developed  a  security  policy  and  an  interim 
authority  to  operate,  conducted  a  system  security  test  and  evaluation  and 
a  security  training  and  awareness  program,  appointed  key  security 
management  positions,  and  conducted  a  ri^  analysis  to  identify  and 
de^e  overall  system  threats  and  vulnerabilities  as  required  by  DoD 
Directive  5200.28,  ** Security  Requirements  for  Automated  Ittformation 
Systems  (AISs),”  March  21,  1988.  However,  infon^tion  assurance  for 
the  HRO  Marine  Corps  Base  Hawaii  Kaneohe  Bay  still  needs 
improvement  because  it  does  not  have  an  overall  security  plan  and  a 
contingency  plan. 

Further,  the  DCPDS  functional  and  acquisition  managers  did  not 
coordinate  with  the  Navy  about  their  respective  security  management 
roles  and  responsibilities  for  the  DCPDS  information  assurance  program. 

As  a  result,  without  those  controls,  the  Navy  cannot  ensure  the 
confidentiality,  integrity,  and  availability  of  more  than  209,000  Navy 
and  Marine  Corps  civilian  personnel  records^  that  are  processed  on  the 
DCPDS. 


Requirements  for  Information  Assurance  Controls 

Federal  Guidance.  Office  of  Management  and  Budget  Circular  No.  A-130, 
"Management  of  Federal  Information  Resources,”  February  8,  1997,  recognizes 
the  need  for  special  management  attention  for  security  of  automated  information 
systems  because  of  the  risk  and  magnitude  of  harm  that  could  result  from  the 
loss,  misuse,  or  unauthorized  access  to  or  modification  of  management 
information.  In  addition.  Circular  A-130  requires  agencies  to  recogni^  that,  in 
Federal  Government  information  systems  involving  personal  information,  the 
individual’s  right  to  privacy  must  he  protected. 


^Tbe  Navy  Pacific  Region  maintains  a  database  containing  more  than  9,000  records.  The  database  links 
to  and  updates  the  DCPDS  Navy  database,  which  could  allow  for  possible  access  to  more  than  209,000 
records  if  it  lades  information  assurance  controls. 
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Information  Assurance  Program 


Circular  A- 130  directs  all  Federal  agencies  to  protect  information  commensurate 
with  the  risk  and  magnitude  of  harm  that  would  result  from  the  loss,  misuse,  or 
unauthorized  access  to  or  modification  of  such  information.  Circular  A-130 
requires  agencies  to  incorporate  minimum  controls  for  all  Government 
automated  information  system  security  programs  to  include  the  following: 

Assign  leqwnsibility  for  security  of  each  major  triplication  to  a 
management  official  knowledgeable  in  the  nature  of  the  information 
and  information  process  supported  by  the  application  and  in  the 
management,  personnel,  (^lerational  technical  controls  used  to 
protect  it  This  official  shall  assure  that  effective  security  products  and 
techniques  are  (qipropriately  used  in  the  aiqilication  and  shall  be 
contacted  when  a  security  incident  occurs  concerning  the  application. 

DoD  civilian  personnel  data  are  subject  to  provisions  of  the  Privacy  Act  of 
1974  (the  Privacy  Act).  The  Privacy  Act  generally  requires  Feder^  agencies  to 
safeguard  personal  information  from  disclosure  to  any  other  organization  or 
individual  widiout  the  consent  of  the  individual  to  whom  the  information 
pertains.  The  Mvacy  Act  also  requires  each  agency  to  accoimt  for  disclosures 
of  information  to  other  organizations  and  individuals. 

The  Computer  Security  Act  of  1987  requires  that  Federal  agencies  develop 
computer  security  plans  for  all  Federal  computer  systems  ti^t  contain  sensitive 
information  to  assure  ffieir  integrity,  availability,  or  confidentiality.  Sensitive 
information  as  defined  by  the  Computer  Security  Act  of  1987  is: 

.  .  .  any  information,  the  loss,  misuse,  or  authorized  access  to,  or 
modification  of  which  could  adversely  affect  the  national  interest  or 
the  conduct  of  Federal  programs,  or  ^  privacy  of  which  individuals 
are  entitled .... 

DoD  Security  Requirements.  DoD  Directive  S200.28  incorporates  the 
provisions  of  Circular  A-130  and  provides  mandatory  minimum  automa^ 
information  system  security  requirements  for  systems  that  process  sensitive-but- 
unclassified  i^ormation.  DoD  Directive  5200.28  states  that,  as  a  minimum,  a 
risk  management  program  should  be  in  place  to  determine  how  much  protection 
is  required,  how  much  exists,  and  the  most  economical  way  of  providing  the 
n^ed  protection.  According  to  DoD  Directive  5200.28,  risk  management  is 
the  total  process  of  identifyinjg,  measuring,  and  minimizing  uncertain  events 
affecting  automated  information  system  resources.  It  includes  conducting  a  riric 
analysis,  cost  benefit  analysis,  safeguard  selection  and  implementation,  security 
test  and  evaluation,  and  systems  review.  A  risk  analysis  identifies  threats  and 
vulnerabilities  and  categorizes  the  level  of  risk  associated  with  each. 
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Information  Assurance  Program 


Existing  Controls 

The  Navy  Pacific  Region,  HRO  Pearl  Harbor  Naval  Shipyard,  and  HRO 
Commander  Naval  Base  Pearl  Harbor  have  made  DCPDS  information  assurance 
a  high  priority  and  have  security  prognuiu  in  place.  The  offices  have 
performed  a  computer  security  accreditation  and  conducted  a  risk  analysis  to 
identify  security  risks.  As  of  July  1997,  die  HRO  Petul  Harbor  Naval  Shipyard 
and  HRO  Commander  Naval  Base  Pearl  Harbor  submitted  computer  security 
accreditation  packages  to  the  base  Information  System  Security  Officer  and  are 
waiting  for  the  designated  approving  audiority  to  accredit  the  DCPDS  computer 
resources. 

Specifically,  the  sites  possess  security  policy  and  plans;  have  system  access 
controls  and  physical  security  controls  in  place;  and  have  performed  a  computer 
security  accr^itation,  which  included  the  following: 

•  contingency  plan, 

•  security  test  and  evaluation, 

•  risk  analysis  safeguard  checklist, 

•  security  awareness  training, 

•  appointment  of  key  security  management  positions,  and 

•  interim  authority  to  operate  on  the  local  area  network. 

See  ^pendix  C  for  a  glossary  of  terms. 

Corrective  Action  Taken.  The  HRO  Marine  Corps  Base  Hawaii  Kaneohe  Bay 
has  taken  corrective  action  since  the  start  of  the  audit  by  performing  a  risk 
analysis  safeguard  checldist,  system  security  test  and  evaluation,  computer 
survey,  and  security  policy  for  the  computers  that  run  DCPDS.  The  Marine 
Corps  Base  Hawaii  has  an  interim  authority  to  operate  the  DCPDS  on  the  local 
area  network  not  to  exceed  1  year. 

Also,  the  HRO  Marine  Corps  Base  Hawaii  Kaneohe  Bay  and  the  Marine  Corps 
Base  Hawaii  have  initiated  ongoing  security  awareness  training. 

The  HRO  Marine  Corps  Base  Hawaii  Kaneohe  Bay  and  the  Marine  Corps  Base 
Hawaii  have  completed  appointment  letters  for  key  security  management 
positions.  The  letters  were  awaiting  signature  of  the  base  designated  ^proving 
aufoority. 

Actions  That  Still  Need  To  Be  Taken.  The  HRO  Marine  Corps  Base  Hawaii 
Kaneohe  Bay  still  needs  to  implement  a  security  plan  and  contingency  plan. 
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Information  Assurance  Program 


Security  Plan.  The  Computer  Security  Act  of  1987  requires  computer 
security  plans  to  be  developed  for  all  Federal  computer  systems  that  contain 
sensitive  information  to  ensure  dieir  integrity,  availability,  and  confidentiality. 
The  security  plan  describes  the  strate^  for  implementing  information  assurance 
and  establishes  a  methodology  for  validating  the  security  requirements  identified 
in  the  security  policy. 

Without  an  established  security  plan,  the  HRO  Marine  Corps  Base  Hawaii 
Kaneohe  Bay  has  no  assurance  that  it  has  developed  a  strategy  for  implementing 
information  assurance  controls  and  a  mediodology  for  validating  security 
requirements. 

Contingent  Plan.  DoD  Directive  5200.28  requires  that  contingency 
plans  be  developed  and  tested  to  ensure  that  automated  information  system 
security  controls  function  reliably  and,  if  they  do  not,  that  adequate  backup 
functions  are  in  place  to  ensure  diat  security  fimctions  are  maintained 
continuously  during  interrupted  service.  DoD  Directive  5200.28  also  states  that 
recovery  procedures  must  be  in  place  in  case  data  are  modifled  or  destroyed. 
The  HRO  Marine  Corps  Base  Hawaii  Kaneohe  Bay  did  not  have  a  contingency 
plan.  As  a  result,  the  HRO  Marine  Corps  Base  Hawaii  Kaneohe  Bay  has  no 
assurance  that  it  can  recover  from  a  disaster  or  interruption  of  services. 


Configuration  for  DCPDS 

The  Navy  DCPDS  database  is  networked  to  regional  databases,  which,  in  turn, 
are  linked  to  HROs  at  installations  throughout  the  Navy  and  the  Marine  Corps. 
Users  at  regions  and  HROs  have  a  network  of  personal  computers,  containing 
system  and  application  software,  to  facilitate  data  communication  to  interact 
with  each  other. 

The  region  maintains  application  software  necessary  to  perform  persoimel 
functions  on  Hewlett  Packard  minicomputers.  All  successfully  completed 
personnel  transactions  are  posted  to  a  regional  database,  then  posted  to  update 
the  Navy  DCPDS  database  in  San  Antonio,  Texas.  The  personnel  data  are 
transmitted  across  combinations  of  local  area  networks  using  the  Internet 
Protocol  method.  Most  DoD  organizations  that  use  the  Internet  Protocol 
method  access  the  DCPDS  database  using  the  Not  Classifted  Internet  Protocol 
Router  Network. 

The  personnel  data  are  not  encrypted  when  transmitted  back  and  forth  between 
Navy  regional  databases  and  the  Navy  DCPDS  database  in  Texas,  leaving  the 
data  vulnerable  to  unauthorized  access.  If  unauthorized  access  to  a  computer 
occurs,  all  of  Ae  resident  information  is  at  risk,  and  other  connected  networks 
are  also  in  jeopardy. 
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Information  Assurance  Control  Documentation 

DoD  Directive  5200.28  provides  mandatoiy  minimum  automated  information 
system  security  requirements  for  systems  t^t  process  sensitive-but-unclassified 
information.  Secretary  of  the  Navy  Instruction  5239.2  (Navy  Security 
Program  5239.2),  “Department  of  the  Navy  Autoimted  Information  Systems 
(AIS)  Security  Program,”  November  15,  1989,  which  implements  DoD 
Directive  52()0.28,  requires  that  the  appropriate  designate  approving  authority 
accredit  automated  information  systems,  networks,  and  computer  resources 
based  on  a  certiHcation  and  risk  management  process.  Automated  information 
tystems  not  accr^ited  may  operate  on  a  local  area  network  if  the  designated 
approving  authority  has  issued  an  interim  authority  to  operate  for  a  period  not  to 
exceed  1  year. 

The  HRO  Pearl  Harbor  Naval  Shipyard  and  HRO  Commander  Naval  Base  Pearl 
Harbor,  which  are  base-owned,  co^ucted  a  site  accreditation  of  the  DCPDS 
computer  resources  as  required  by  the  Navy  Security  Program  5239.2.  The 
IffiOs  provided  to  the  base-level  designated  approving  authority  information 
needed  to  determine  whether  the  computers  are  operating  within  an  acceptable 
level  of  risk  to  be  placed  on  the  base  local  area  network. 

The  HROs  submitted  accreditation  packages  to  the  base  Information  System 
Security  Officer,  who  reviewed  the  packages  and  submitted  ttem  for  approval 
to  the  designated  approving  authority.  If  acceptable,  ^  designated  approving 
authority  issues  a  formal  d^laration  that  the  DCPDS  is  approved  to  operate  on 
the  base  local  area  network  because  it  meets  a  prescribed  set  of  security 
standards. 


Responsibilities  for  DCPDS  Information  Assurance 


The  DCPDS  functional  and  acquisition  managers  and  the  Navy  Pacific  Region 
and  its  HROs  all  have  shared  roles  and  responsibilities  in  safeguarding  the 
DCPDS  personnel  data.  The  organizations  must  fiiinil  their  responsibilities  to 
achieve  formation  assurance  for  DCPDS. 

Directorate  of  Personnel  Data  Systems  Responsibilities.  According  to  the 
Air  Force  Personnel  Center  Pamphlet  38-1,  “Organizations  and  Functions,” 
April  14,  1997,  the  Directorate  of  Personnel  Data  Systems  is  responsible  for 
establishing,  directing,  and  managing  communications  and  computer  systems 
security  policy  and  the  procedures  covering  DCPDS  at  all  levels  of  Federal  and 
DoD  organizations. 

Navy  Responsibilities.  As  owner  of  the  personnel  data,  the  Navy  is 
responsible  for  directing,  coordinating,  and  managing  security  policy  and 
procedures  for  Navy  and  Marine  Corps  personnel  offices  using  DCPDS.  The 
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Navy  is  also  responsible  for  coordinating  and  following  up  on  securiQ^  issues 
and  concerns  between  the  Navy  personnel  sites  and  the  Directorate  of  Personnel 
Data  Systems. 

Navy  Pacific  Region  Responsibilities.  The  Navy  Pacific  ^gion  maintains  its 
own  domain  and  is  responsible  for  instituting  its  own  security  protection 
mechanisms  and  procedures  as  well  as  for  implementing  the  minimum  security 
requirements  in  accordaiu;:e  widi  DoD  regulations.  To  meet  minimim  security 
requirements,  the  Navy  Paciflc  Region  must  accredit  its  automated  infoimation 
system.  An  accreditation  is  the  approval  to  operate  in  a  particular  security 
mode  using  prescribed  safeguards.  Part  of  the  accreditation  process  is 
performing  a  risk  analysis  of  system  assets  and  vulnerabilities  to  establish  an 
expected  loss  from  certain  events  based  on  estimated  probabilities  of 
occurrence. 

HRO  Responsibilities.  The  HRO  system  architecture  consists  primarily  of 
desktop  personal  computers  that  processes  sensitive-but-unclassLRed  data.  To 
achieve  appropriate  measures  against  threat  and  vulnerabilities,  each  HRO  is 
responsible  for  conducting  risk  analyses  to  identify  most  risks  and  threats 
associated  with  each  worlatation  that  processes  personnel  data. 


Coordination  With  DoD  Components 

The  DCPDS  functional  and  acquisition  project  managers  did  not  coordinate  with 
the  Navy  in  their  respective  security  management  roles  and  responsibilities  for 
the  DCPDS  information  assurance  program.  Specifically,  the  Directorate  of 
Personnel  Data  Systems,  Air  Force  Personnel  Center,  does  not  have  an  adequate 
program  in  place  to  coordinate  and  communicate  with  DoD  Components  about 
their  respective  security  management  roles  and  responsibilities  for  the  DCPDS 
information  assurance  program.  The  Directorate  of  Personnel  Data  Systems 
also  has  not  ensured  that  DCPDS  uses  the  effe(^ve  security  products  and 
techniques  required  by  Circular  A-130.  The  Directorate  of  Personnel  Data 
Systems  has  not  provided  guidance  to  DoD  Components  on  safeguards  and  has 
not  followed  up  to  ensure  that  the  DoD  Components  have  implemented 
corrective  actions  to  guidance. 

The  Directorate  of  Personnel  Data  Systems  issued  guidelines  to  DoD 
Component  project  managers  for  DCPDS  sites  to  conq>lete  an  operational 
certifrcation  in  the  memorandum,  ‘‘Operational  Certification-Regional  Service 
Centers/Risk  Analysis  Status,”  January  13,  1997  (Operational  Certification 
Memorandum). 

The  Operational  Certification  Memorandum  states  that  the  operational 
certification  process  is  an  integral  part  of  ensuring  system  inte^ty  and  risk 
analysis  continuity,  and  that  the  DCPDS  security  process  requires  a  risk  analysis 
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or  an  update  of  the  current  one.  Checklists  for  operational  certification  and  risk 
analysis  were  included  as  attachments  to  the  Operational  Certification 
Memorandum. 

The  Directorate  of  Personnel  Data  Systems  did  not  set  milestone  dates  for  the 
completion  of  fhe  operational  certification  and  risk  analysis.  The  Operational 
Certification  Memorandum  guidance  was  not  coordinate  with  and  followed  up 
by  ^  Navy  Pacific  Region  or  its  HROs.  The  Directorate  of  Personnel  Data 
Systems  does  not  have  a  method  in  place  to  determme  when  and  whether  sites 
have  completed  the  operational  certitication. 

Coordination  of  DCPDS  securiQ'  issues  is  important  to  provide  consistency 
among  all  DoD  Components  operating  DCPDS.  The  lack  of  coordination  is 
causing  DoD  Components  to  t^e  their  own  approaches  to  security;  that  is,  they 
are  independently  developing  their  own  measures  to  deal  with  DCPDS 
vulnerabilities. 

Corrective  Action  Taken.  Since  the  audit  started,  a  coordinated  DCPDS 
policy  and  security  support  plan  was  published.  The  plan  defines  the  respective 
security  management  roles  and  responsibilities  for  DCPDS. 

Corrective  Action  Being  Taken.  Civilian  Personnel  Management  Service,  in 
conjunction  with  the  Central  Design  Activity  security  staff,  is  developing  a 
System  Security  Annex  to  the  DCPDS  Training  Support  Plan.  The  Annex  will 
be  provided  to  DoD  Components  to  plan,  develop,  and  execute  training 
strategies  for  functional  and  technical  personnel  involved  in  the  operations  of 
the  DCPDS.  The  Annex  will  also  contain  the  knowledge,  skills,  abilities,  and 
training  requirements  for  network  security  officers  and  users  at  all  operational 
levels.  The  System  Security  Annex  was  scheduled  to  be  convicted  by  April  30, 
1998. 


Conclusion 

The  Navy  Pacific  Region,  HRO  Pearl  Harbor  Naval  Shqiyard,  and  HRO 
Commander  Naval  Base  Pearl  Harbor  have  made  DCPDS  information  assurance 
a  high  priority  and  have  security  programs  in  place.  The  HRO  Marine  Co^s 
Base  Hawaii  Kaneohe  Bay  took  corrective  action  during  the  audit  by  initiating  a 
DCPDS  security  program. 

The  Directorate  of  Personnel  Data  Systems  developed  and  provided  guidance 
for  the  security  of  DCPDS  to  DoD  Component  project  managers.  The  guidance 
emphasized  the  priority  and  importance  of  effective  risk  management  and 
security  safegua^;  however,  it  did  not  establish  milestone  dates  for  completion 
or  follow-up  to  determine  the  status  of  stras  performed.  The  Directorate  of 
Personnel  Data  Systems  should  improve  its  communication  and  coordination  of 
guidance  issued  to  ensure  the  confidentiality,  integrity,  and  availability  of  Navy 
and  Marine  Corps  civilian  personnel  records  on  DCPDS. 
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Management  Comments  on  the  Finding  and  Audit  Response 

The  Navy  concurred  with  the  finding.  Although  not  required  to  comment,  the 
Civilian  Personnel  Management  Service  provided  suggestions  on  the  finding, 
and  we  made  revisions  in  consideration  of  management  comments.  The  full  text 
of  the  comments  is  in  Part  m. 


Recommendations  and  Management  Comments 

We  recommend  that  the  Director,  Human  Resources  Office  Marine  Corps 
Base  Hawaii  Kaneohe  Bay: 

1.  Complete  an  overall  security  plan  for  the  Defense  Civilian 
Personnel  Data  System. 

2.  Complete  a  contingent^  plan  for  the  Defense  Civilian  Personnel 
Data  System. 

Man^ement  Comments.  The  Department  of  die  Navy  concurred  and  is 
working  with  the  base  to  develop  a  security  plan  and  a  contingency  plan,  which 
will  ensure  the  integrity  of  the  computer  systems  used  to  hold  personnel  data 
and  will  include  backup  security  controls  and  data  recovery  systems, 
respectively. 
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Appendix  A.  Audit  Process 


Scope  and  Methodology 

Scope.  We  judgmentally  selected  three  Navy  locations  and  one  Marine  location 
to  evaluate  tte  adequacy  of  information  assurance  for  DCPDS. 

Methodology.  We  conducted  on-site  reviews  of  information  assurance  policies, 
procedures,  and  practices.  We  reviewed  the  information  planning  documents 
such  as  security  policy,  security  plans,  risk  analyses,  contingency  plans,  and 
security  test  anl  evaluations  dat^  from  November  1989  through  November 
1997.  We  determined  whether  system  access  controls,  physicd  security,  and 
security  training  and  awareness  programs  were  develop^  and  implemented. 

We  reviewed  user,  system,  and  network  administrator  security  practices.  We 
identifred  and  interviewed  key  security  personnel  such  as  the  Imbrmation 
Systems  Security  Manager,  Information  Systems  Security  Officer,  System 
Administrator,  and  DCPDS  managers.  We  conducted  interviews  to  determine 
the  level  of  training  provided  for  DCPDS  information  assurance. 

Scope  Limitations.  We  did  not  evaluate  the  security  of  network  and 
communications  infrastructure  because  DoD  resources  were  not  available  to 
conduct  vul^rability  assessments. 

Use  of  Computer-Processed  Data.  We  did  not  use  computer-processed  data  or 
statistical  sampling  procedures  to  evaluate  the  adequacy  of  the  DCPDS 
information  assurance. 

Contacts  During  the  Audit.  We  visited  or  contacted  individuals  and 
organizations  within  DoD.  Further  details  are  available  upon  request. 

Audit  Period  and  Standards,  and  Locations.  We  performed  this  program 
audit  from  June  through  December  1997  in  accordance  with  auditing  standards 
issued  by  the  Comptroller  General  of  the  United  States,  as  implemented  by  the 
Inspector  General,  DoD.  Accordingly,  we  included  tests  of  management 
controls  considered  necessary. 
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Management  Control  Program  Review 

DoD  Directive  5010.38,  “Management  Control  (MC)  Program,”  August  26, 
1996,  requires  DoD  organizations  to  implement  a  comprehensive  system  of 
management  controls  that  provides  reasonable  assurance  (hat  programs  are 
operating  as  intended  and  to  evaluate  the  adequacy  of  the  controls. 

Scope  of  Review  of  the  Management  Control  Program.  We  reviewed  the 
adequacy  of  Navy  management  controls  as  they  relate  to  the  DCPDS 
information  assurance  program.  Specifically,  we  reviewed  controls  for  security 
planning,  risk  analysis,  and  security  management  for  DCPDS.  We  also 
reviewed  management’s  self-evaluation  for  those  controls. 

Adequacy  of  Management  Controls.  We  identified  a  material  management 
control  weakness  for  the  Navy,  as  defined  by  DoD  Directive  5010.38.  The 
controls  in  place  for  information  assurance  were  not  adequate  to  ensure  the 
confidentiality,  integrity,  and  availability  of  the  DCPDS  data.  The 
recommendations  in  this  rqtort,  if  implemented,  will  improve  the  controls  for 
protecting  DCPDS  data.  A  copy  of  this  report  will  be  provided  to  the  senior 
official  responsible  for  management  controls  at  the  Navy. 

Adequacy  of  Management's  Sdf-Evaluation.  The  Navy  management 
identified  personnel  ofilces  as  assessable  units;  however,  information  assurance 
was  not  addressed  for  DCPDS  and,  therefore,  was  not  identified  or  reported  as 
a  material  weakness. 
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General  Accounting  Office 

GAO  Report  No.  AIMD-96-144  (OSD  Case  No.  1213),  "DoD  General 
Computer  Controls:  Critical  Ne^  to  Greatly  StrengAen  Computer 
Security  Program,**  September  30,  IS^.  The  report  discusses  the  General 
Accounting  C^ce  evaluation  of  the  general  computer  controls  at  several  large 
Navy  and  Marine  Corps  computer  installations  and  at  selected  Defense 
Information  Systems  Agency  Defense  Megacenters.  The  report  notes  security 
weaknesses  that  would  allow  hackers  and  legitimate  users  to  improperly  access, 
modify,  or  destroy  sensitive  DoD  data.  The  report  recoimnended  a  centralized 
security  mana^ment  program  with  defined  responsibilities,  periodic  reviews, 
and  monitoring  and  reporting  of  improvement  actions.  DoD  management 
concurred  with  all  findings  and  recommendations. 

GAO  Report  No.  AlMD-96-84  (OSD  Case  No.  1150),  ^^Information 
Security:  Computer  Attacks  at  Department  of  Defense  Pose  Increasing 
Risks,**  May  22,  1996.  The  report  discusses  the  General  Accounting  Office 
review  of  the  extent  to  which  DoD  computers  are  being  attacked,  the  potential 
for  damage,  and  the  challenges  faced  in  responding  to  die  attacks.  The  General 
Accounting  Office  noted  that  attacks  are  increasing  and  damaging  and  are  a 
threat  to  national  security.  The  General  Accounting  Office  concluded  that 
policies  are  out-of-date  and  inconsistent  and  that  many  users  are  not  aware  of 
the  magnitude  of  the  problem.  Tte  report  recommei^ed  that  the  Secretary  of 
Defense  stren^en  the  DoD  information  systems  security  program  by 
improving  policies  and  procedures,  increasing  user  awareness,  setting  standards, 
monitoring  security,  and  establishing  responsibility  and  accoimtabilify.  DoD 
management  agreed  with  the  report’s  fillings  and  recommendations. 


Office  of  the  Inspector  General,  DoD 

Report  No.  98-082,  ^^Information  Assurance  of  the  Defense  Civilian 
Personnel  Data  System,**  February  23,  1998.  The  audit  objective  was  to 
determine  the  adequacy  of  the  information  assurance  program  for  major 
automated  information  systems,  specifically  to  evaluate  DCPDS  security 
planning,  risk  analysis,  and  security  manajgement.  The  report  concludes  that  the 
DCPDS  information  assurance  program  did  not  have  adequate  controls  in  place 
to  safegu^  DCPDS  data  and  resources.  As  a  result,  DCPDS  has  high  risks  for 
unauthorized  ^stem  access,  intentional  and  unintentional  alteration  and 
destruction  of  data,  and  denial  of  service  to  authorized  users.  The  rqport 
recommended  strengthened  oversight  and  management  of  DCPDS  information 
assurance.  Also,  the  report  recommended  the  establishment  of  information 
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assurance  functional  requirements  and  the  implementation  of  information 
assurance  measures  to  protect  DoD  civilian  personnel  data.  The  Director, 
Civilian  Personnel  Management  Service,  stated  that,  by  acquiring  C-2  compliant 
system  hardware  and  software,  no  perceivable  threats  would  be  in  the  DCPDS 
processing  environment  that  must  countered  by  system  design.  In  addition, 
the  Director  stat^  t^t  a  computer  security  response  team,  te];>resenting  the 
Major  Automated  Information  Systems  Review  Council,  identified  risks  to 
DCPDS  through  a  facilitated  risk  assessment  program,  and  the  acquisition 
program  manager  is  developing  an  action  plan  to  mitigate  program  risks.  The 
Director  nonconcurred  wiA  a  draft  recommendation  to  revise  the  operational 
requirements  document  to  include  validated  threat  irtformation  and  also 
imnconcurral  with  the  threat  requirements  and  funding  to  protect  die  DoD 
civilian  data.  The  Director  stated  that  the  facilitated  risk  analysis  provided  a 
comprehensive  list  of  direats  and  is  a  more  appropriate  amlysis  for  the  DCPDS. 
The  Director  also  stated  that  he  does  not  recognize  coordination  with  the 
acquisition  program  manager  as  a  problem  and  that  there  are  no  funding 
deHciencies  for  protecting  DoD  civilian  personnel  data.  The  Director  agreed 
with  the  recommendation  to  coordinate  and  approve  a  certification  and 
accreditation  plan  to  protect  the  DCPDS  and  conimented  that  his  office  is 
determining  which  organizational  component  will  serve  as  the  operating  DCPDS 
designated  approving  authority.  Air  Force  management  and  die  Assistant 
Secretary  of  Defense  (Command,  Control,  Communications,  and  Intelligence) 
management  agreed  with  the  report’s  findings  and  recommendations. 

Report  No.  98-024,  ‘‘Security  Controls  Over  Systems  Serving  the  DoD 
Personnei  Security  Program,”  November  19, 19S17.  The  audit  objective  was 
to  evaluate  security  controls  over  the  computer  system  serving  the  DoD 
personnel  securi^  program,  which  the  Defense  Investigative  Service 
administers.  The  report  states  that  the  Defense  Investigative  Service  did  not 
have  adequate  controls  to  protect  personnel  security  systems  and  data  from 
compromise.  Therefore,  die  Defense  Investigative  Service  cannot  ensure  that 
unauthorired  individuals  can  be  prevented  from  access!^,  modifying,  or 
destroying  the  highly  sensitive  DoD  personnel  security  iidom^tion  that  it 
administers.  The  report  recommended  the  Defense  Investigative  Service  to 
communicate  specific  security  requirements,  modify  Memorandums  of 
Agreement  and  contracts  to  include  system  security,  develop  and  implement 
access  control  policies,  isolate  critical  resources  in  the  system  architecture,  and 
inqirove  physical  security.  The  Defense  Investigative  Service  management 
agreed  with  all  recommendations  and  had  initiated  actions  to  in^rove  systems 
security  and  the  ^sterns  architecture. 

Report  No.  PO  97-049,  “DoD  Management  of  Information  Assurance 
EDbits  to  Protect  Automated  Information  Systems,”  September  25, 

1997.  The  audit  objective  was  to  determine  the  effectiveness  of  DoD 
management  of  information  assurance  efforts  to  protect  automated  information 
systems.  The  report  concludes  that  the  securify  safeguards  and  practices  that 
protect  DoD  automated  information  systems  need  improvement.  Inefficient  and 
ineffective  implementation  of  the  Defense-wide  Information  Systems  Security 
Program,  outdated  policies  and  procedures,  inadequate  direction  and  oversight, 
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and  lack  of  accountability  for  information  systems  security  management  controls 
contributed  to  the  inadequate  security  safeguards.  The  report  reconunended 
developing  procedures  to  determine  the  Defense  information  infrastructure’s 
security  posture,  developing  an  information  assurance  strategic  plan,  and 
incorporating  accountability  r^uirements  for  personnel  responsible  for 
safeguarding  DoD  automat^  imormation  systems.  The  Acting  Assistant 
Secretary  of  Defense  (Command,  Control,  Communications  and  Intelligence) 
generally  concurred  with  the  finding  and  recommendations  and,  in  coordination 
with  the  Services,  Joint  Staff,  and  Defense  agencies,  was  establishing  an 
integrated  management  process  to  extend  DoD  oversi^t  of  information 
assurance  programs  and  activities  to  all  DoD  Components. 


Air  Force  Audit  Agency 

Project  No.  96054027,  **Data  Communications  Security/’  AprU  15, 

1997.  The  audit  objective  was  to  determine  whether  the  Air  Force  adequately 
protects  sensitive-but-unclassified  information  transmitted  over  the  Air  Force 
Internet.  The  report  concludes  that  Air  Force  systems  continue  to  transmit 
sensitive-but-unclassified  information  unprotect^  over  the  Air  Force  Internet 
because  the  Air  Force  system  managers  ^d  not  conducted  a  risk  analysis. 

Users  and  system  manajgers  of  5  of  the  11  systems  examined  were  not  aware  of 
the  increased  risk  of  using  the  Air  Force  Internet  or  of  the  sensitive  nature  of 
the  information.  The  Air  Force  Audit  Agency  recommended  a  risk  analysis  for 
each  system  to  identi^  the  current  risks  of  transmitting  sensitive-but- 
unclassiried  information  over  the  Air  Force  Internet,  as  well  as  to  emphasize 
protection  requirements  to  tbe  designated  approval  authorities.  Air  Force 
management  officials  agreed  with  &e  overril  audit  results  and  planned 
responsive  actions. 

Project  No.  93058001,  **Review  of  Personnel  Concept  m  System  Security 
and  Equipment  Management,”  April  3, 1995.  The  audit  objective  was  to 
determine  whedier  selected  security  and  control  procedures  were  properly 
implemented  in  the  Personnel  Concept  III  computer  system.  The  report 
concludes  that  the  Air  Force  did  not  implement  adequate  security  access 
protection  for  the  tystem  and  did  not  properly  account  for  computer  equipment. 
The  Air  Force  Audit  Agency  recommended  implementing  separation  of  duty 
requirements,  maintaining  consolidated  accreditation  databases,  identifying 
system  threats  and  areas  requiring  additional  protection,  and  implementing 
proper  control  and  authorization  of  passwords.  Air  Force  management  officials 
agr^  widi  the  overall  audit  results  and  planned  responsive  actions. 
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Other  Related  Coverage 

Defense  Science  Board  Task  Force,  "Information  Warfare-Defense 
(IW-D),”  November  21, 1996.  The  task  force  was  established  to  study  the 
protection  of  information  interests  of  national  importance  through  a  credible 
information  warfare  defensive  capability.  The  report  concludes  dut  action  is 
needed  to  defend  against  possible  information  warfare  attacks  against  DoD 
systems  that  could  inq>act  the  abilitjr  of  DoD  to  carry  out  its  responsibilities. 

task  force  reconunended  SO  actions  ranging  from  identifying  a  focal  point 
widiin  DoD  for  Information  Warfare  activities  to  allocating  approximately 
^  billion  over  the  next  5  years  to  implement  recommendations. 

Joint  Security  Commission,  "Redefining  Security*”  February  28, 

1994.  The  Joint  Securify  Commission  report  addresses  the  processes  used  to 
formulate  and  implement  security  policies  in  DoD  and  the  intelligence 
community.  The  Joint  Security  Commission  report  concluded  that  the  clearance 
process  was  needlessly  complex,  cmnbersome,  and  costly.  The  Joint  Security 
Commission  report  made  recommendations  to  create  a  new  policy  structure, 
enhance  securify,  and  lower  cost  by  avoiding  duplication  and  increasing 
efficiency. 
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Federal  and  DoD  organizations  have  published  numerous  definitions  for  terms 
to  describe  conditions,  events,  and  key  officials  involved  with  safeguarding 
automated  information  systems.  We  primarily  used  definitions  from  DoD 
Directive  5200.28,  "Security  Requirements  for  Automated  Information  Systems 
(AISs),”  March  21,  1988  (DoD  Directive  5200.28),  and  definitions  from  other 
guidance  authorized  by  that  Directive. 

Accreditation.  Accreditation  is  the  formal  declaration  by  a  designated 
approving  authority  that  a  system  is  approved  to  operate  in  a  particu^  security 
m^e  using  a  prescribed  set  of  safeguanls  at  an  acc^table  level  of  risk. 
Accreditation  is  the  official  management  authori^tion  for  operation  of  an 
information  system  and  is  based  on  the  certification  process  as  well  as  other 
management  considerations.  The  accreditation  statement  affixes  security 
responsibility  with  the  designated  approving  authority  and  shows  that  due  care 
has  been  taken  for  security.  (DoD  ^ective  5200.28) 

Certification.  Certification  is  the  technical  evaluation  of  an  automated 
information  system’s  security  features  and  other  safeguards,  made  in  support  of 
the  accreditation  process,  which  establishes  the  extent  that  a  particular 
automated  information  system’s  design  and  implementation  meet  a  set  of 
specified  security  requirements.  (DoD  Directive  5200.28) 

Contingency  Planning.  Contingency  plans  are  required  to  be  developed  and 
tested  in  accordance  with  Circular  A-130  to  ensure  that  automated  information 
system  security  controls  function  reliably  and,  if  not,  that  adequate  backup 
functions  are  in  place  to  ensure  that  security  fimctions  are  maintained 
continuously  during  interrupted  service.  If  data  are  modified  or  destroyed, 
procedures  must  be  in  place  to  recover.  (DoD  Directive  5200.28) 

Interim  Authority  to  Operate.  The  appropriate  designated  approving 
authority  will  accredit  automated  information  systems,  networks,  and  coiiq)uter 
resources  based  on  a  certification  and  risk  management  process.  Automat^ 
information  systems  not  accredited  may  operate  if  the  appropriate  desisted 
approving  autlmrity  has  issued  an  interim  authority  to  operate  for  a  period  not  to 
exceed  1  year.  (Secretary  of  the  Navy  Ins^ction  5239.2,  **Department  of 
the  Navy  Automated  Information  Systems  (AIS)  Security  Program,  ” 

November  15, 1989) 

Risk  Analysis.  A  risk  analysis  is  an  analysis  of  system  assets  and 
vulnerabilities  to  establish  an  expected  loss  from  certain  events  based  on 
estimated  probabilities  of  occurrence.  (DoD  Directive  5200.28) 

Security  Awareness  Training.  Mandatory  periodic  security  awareness  training 
is  requii^  for  aU  persons  involved  in  management,  use,  or  operation  of  Fedend 
computer  systems  that  contain  sensitive  information.  (Computer  Security  Act 
of  1987,  Public  Law  100-235) 
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Security  Test  and  Eyaluation.  Systems  shall  be  subject^  to  a  site  and  system 
speciHc  security  test  and  evaluation  to  ensure  that  the  enviroimental  and 
operational  security  requirements  have  been  met.  When  feasible,  security  test 
and  evaluation  should  be  conducted  by  a  third  party  approved  by  the  designated 
approving  authority.  (Secretary  of  Ae  Navy  Instruction  5239.2) 

Threat.  A  threat  is  any  circumstance  or  event  with  the  potential  to  cause  harm 
to  an  information  system  in  the  form  of  destruction,  disclosure,  adverse 
modification  of  data,  or  denial  of  service.  (National  Security 
Telecommunications  and  Information  Systems  Security  Instruction  No.  4009) 

Vulnerability.  Vulnerability  is  weakness  in  an  information  system  or  its 
components  (system  security  procedures,  hardware  design,  management 
controls)  that  could  be  exploited.  (National  Security  Telecommunications  and 
Information  Systems  Security  Instruction  No.  4009) 


Key  Officials 

DoD  Directive  5200.28  derines  the  responsibilities  of  key  officials  that  affect 
automated  information  systems  security. 

Designated  Approving  Authority.  The  designated  approving  authority  is  the 
official  who  Im  the  authority  to  decide  whether  to  accept  the  security 
safeguards  prescribed  for  an  automated  information  system  or  the  official  who 
may  be  responsible  for  issuing  an  accreditation  statement  that  records  the 
decision  to  accept  those  safeguards.  The  designated  approving  authority  must 
be  at  an  organizational  level,  have  authority  to  evaluate  the  overall  mission 
requirements  of  the  automat^  information  system,  and  provide  definitive 
directions  to  automated  information  system  developers  or  owners  relative  to  the 
risk  in  the  security  posture  of  the  automated  information  system.  (DoD 
Directive  5200.28) 

Information  Systems  Security  Manager.  The  information  systems  security 
manager  is  responsible  for  planning,  directing,  and  implementing  the 
information  security  program.  The  information  systems  security  manager  is 
administratively  and  operationally  responsible  for  the  computer  system. 
Generally,  each  organization  has  one  information  systems  security  manager. 
(Peari  Harbor  Naval  Shipyard  Computer  Security  Handbook,  1996) 

Information  System  Security  Officer.  The  information  system  security  officer 
is  responsible  to  the  designated  approving  authority  for  ensuring  that  security  is 
provided  for  and  implemented.  Specificity,  the  iitbmiation  system  security 
officer  is  to: 

•  maintain  a  plan  for  system  security  improvements  and  progress  towards  meeting 
the  accreditation. 
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•  evaluate  known  vulnerabilities  to  ascertain  whether  additional  safeguards  are 
needed,  and 

•  ensure  that  audit  trails  are  reviewed  periodically.  (DoD  Directive  5200.28) 

Terminal  Area  Securi^  Officer.  Terminal  area  security  officers  are  appointed 
for  computer  systems  with  remote  terminal  access.  The  terminal  area  security 
officer  provides  security  support  to  the  information  system  set^ty  officer,  and 
reports  any  problems  or  security  compromises  to  the  information  system 
security  officer.  Terminal  area  security  officers  may  also  be  assigned  as  an 
^assistant  information  system  security  officer”  in  areas  where  the  number  of 
systems  exceeds  the  ability  of  one  information  system  security  officer  to 
effectively  administer  security  requirements.  (Peaii  Harifor  Naval  Shipyard 
Computer  Security  Handbook,  1996) 
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Office  of  the  Secretary  of  Defense 

Under  Secretary  of  Defense  for  Acq[uisition  and  Technology 
Director,  Defense  Logistics  Studies  Information  Exchange 
Under  Secretary  of  Defense  (Conq>troller) 

Deputy  Chief  Financial  Officer 
Deputy  Comptroller  (Program/Budget) 

Assistant  Secretary  of  Defense  (CominaDd,  Control,  Communications,  Intelligence) 
Under  Secretary  of  Defense  for  Personnel  and  Readiness 

Deputy  Assistant  Secretary  of  Defense  (Civilian  Personnel  Policy) 

Director,  Civilian  Personnel  Management  Service 
Assistant  Secretary  of  Defense  (Public  Affairs) 


Department  of  the  Army 

Auditor  General,  Department  of  the  Army 

Department  of  the  Navy 

Assistant  Secretary  of  the  Navy  (Financial  Management  and  Comptroller) 

Auditor  General,  Department  of  the  Navy 

Director,  Human  Resources  Operations  Center,  Information  Technology 
Director,  Human  Resources  Service  Center,  Pacific  Region 

Department  of  the  Air  Force 

Assistant  Secretary  of  the  Air  Force  (Financial  Management  and  Comptroller) 
Auditor  General,  Department  of  the  Air  Force 
Commander,  Air  Force  Personnel  Center 

Technical  Director,  Directorate  of  Personnel  Data  Systems,  Air  Force  Personnel 
Center 


Marine  Corps 

Director,  Civilian  Human  Resources  Office-West 

Director,  Human  Resources  Office  Marine  Corps  Base  Hawaii  Kaneohe  Bay 
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Other  Defense  Organizations 

Director,  Defense  Contract  Audit  Agency 
Director,  Defense  Information  Systems  Agency 
Director,  Defense  Ijogistics  Agency 
Director,  National  Security  Agency 

Inspector  General,  National  Security  Agency 
Inspector  General,  Defense  Intelligence  Agency 


Non-Defense  Federal  Organizations  and  Individuals 

Office  of  Management  and  Budget 

Technical  Information  Center,  National  Security  and  International  Affairs  Division, 
General  Accounting  Office 

Chairman  and  ranking  minority  member  of  each  of  tiie  following  congressional 
committees  and  subconunittees: 

Senate  Committee  on  Appropriations 

Senate  Subcommittee  on  Defense,  Committee  on  Appropriations 
Senate  Conunittee  on  Armed  Services 
Senate  Conunittee  on  Governmental  Affairs 
House  Committee  on  Appropriations 

House  Subcommittee  on  National  Security,  Committee  on  Appropriations 
House  Conunittee  on  Governmental  Reform  and  Oversight 
House  Subconunittee  on  Government  Management,  Information,  and  Technology, 
Conunittee  on  Government  Reform  and  Oversight 
House  Subcommittee  on  National  Security,  International  Affairs,  and  Criminal 
Justice,  Conunittee  on  Government  Reform  and  Oversight 
House  Committee  on  National  Security 
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Department  of  the  Navy  Comments 


THE  ASSISTANT  SECNCTARY  OF  THE  NAVY 

iMANPOWm  AND  msCMVI  AFFAIMAl 
WAVHIMArON.  D.C.  «09«0-tOQO 


WR  13  BOB 


KmOBAIIDUC  rOR  OIRSCTOR,  ACQOXBXTIOII  NAlUaSMIlIT  DXRBCTORATB, 
OlPARmENT  or  DSFEHSB  XUSRICTOR  GBMRRAL 

SUBJECT!  Audit  Rsport  on  inforsAtlon  Assursnos  of  tho  Dofonss 
Civilian  Pwroonnol  Data  Syatas  -  Ravy  (Rrojact  No. 
7RX-3006.02) 

Attaohsant  X  vaa  transaittad  to  tha  Oiraotor  of  Civilian 
Paraonnal  PrograM,  Baadquartara,  tinitad  Stataa  Marina  Corpa, 
Tor  raviav  and  ooananta. 


Tha  Dapartnant  of  tba  Navy  concura  in  tha  ra^rt  finding 
raconaandationa.  Datailad  oonaanta  ara  CMi^inad  in 


and 

Attaohaant  3. 


BERNARD  ROSTKER 

Attachaanta  s 

1.  DoDIG  Draft  of  A  Propoaad  Audit  Raportx  Xnforaation  Aaauranoa 
of  tha  Pafanaa  Civilian  Paraonnal  Data  Syataa  -  Navy  (Projact 
No.  7RE*3006.02  of  ratoruary  6,  X99B) 
a.  Oapartaant  of  tha  Navy  oonaanta 

Copy  to: 

PHO-31 

MAVXKSGBN(03) 


*Omitted  because  Attachment  1  is  a  copy  of  the  draft  report. 
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D«p«rtMnt  ot  thm  H«vy  Commmntm 
on 

DODZG  Draft  Audit  Itaport 
on 

Znfonation  Asouranco  of  tlio  Dofanao  civilian 
Paraonnal  Data  fyataa 
Frojaot  #7llB-i00<«02 

Yiadiagt  Tha  Navy  Pacific  Ragion  and  tvo  of  ita  thraa  hunan 
raaoureaa  officaa  hava  aada  Dafanaa  Civilian  Paraonnal  Data 
Systaa  inforuation  aaauranca  a  high  priority  and  hava  eoaputar 
aacurlty  prograaa  in  placa*  Hovavar,  infomation  aaauranca  for 
ita  Buaan  Raaoureaa  Office^  Marina  corpa  Baaa  Ha%rali^  Kanaoha  Bay 
atm  naad  iaprovanant  bacauaa  it  doaa  not  hava  an  ovarall 
aaouril^  plan  and  contingancy  plan* 

BOV  Baplyt  Concur. 

RaooMiaBdatioa:  ”Wa  racoaoMnd  that  tha  Diraotor,  Buaan  Raaoureaa 
Offioa  Marina  Corpa  Baaa  Bavaii  Kanaoha  Bay  ooaqplata  an  ovarall 
aacurlty  plan  for  tha  Dafanaa  Civilian  Paraonnal  Data  Syatan.** 

BOM  Raply:  Concur.  A  aacurity  plan  ia  baing  davalopad  at 
Kanaoha  Bay  vhich  will  anaura  tha  integrity  of  tha  eoaputar 
ayataaa  uaad  to  hold  paraonnal  data. 

RaeoMBandatioa:  "ira  raooaaand  that  tha  Diractor,  Buaan  Raaoureaa 
Office  Marina  Corpa  Baaa  Hawaii  Kanaoha  Bay  ooaplata  a 
contingancy  plan  for  tha  Dafanaa  Civilian  Paraonnal  Data  Syatan.* 

BOV  Reply:  Concur.  HRO  Kanaoha  Bay  ia  vorhing  with  tha  baaa 
Coaaunication  Infomation  Byatana  Dapartnant  to  davalop  a 
contingancy  plan  which  will  Includa  bacAuqp  aacurity  controls  and 
data  racovary  ayataaa. 


Attaohnant  3 


Civilian  Personnel  Management  Service 
Comments 


OKPARTMCNT  OV  DCrCNSt 
dViUAN  ^IMOHNU.  MANAOKMINT  MKVICB 
1400  KtY  OOUUCVARD 
AMJNOrrON,  VA  SSaOO-0144 


MEMC^UNDUM  FOR  DIRECTOR.  ACQUISITION  MANAGEMENT 

DIRECTORATB,  MPARTMENT  OF  DEFENSE 
INSPECTOR  GENERAL 


SUBJECT:  PiopoMd  Audit  Report  on  InformaUoo  Atiutonce  for  the  Defeiise  Civ^ 
Petsoond  DdA  System  -  Novy  (Project  No.  7R£-3(X)6.02) 


This  mesioraxidum  coimitutes  the  fonctiood  p(oponeot*i  leepoQie  to  tbe  PropoMd  Audit 

Report  on  lofonnttkm  Assurtnoe  for  the  Defense  CivilUa  PerMiuiel  Deu  System  -  Navy,  dated 
f«l)rttafy6. 199g  (Project  No.  7R&3006^).  The  attached  docuneot  lespoi^ 
fiiidiags,  identtfies  our  concerns,  and  explains  the  levitioos  we  believe  are  neoesxaiy  so  that  the 
final  report  wilt  accurately  reflect  the  Defense  Civilian  Personnel  Data  System  program 
tnfonnatioo.  We  appreciate  your  consideration  of  our  comments. 


Eart  T.  Payne  ^ 


Aaschment: 
As  stated 
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Final  Report 
Reference 


Faarttiwal  MwnyMtit  Bcipoaf 

Dnn  PrapoMd  Aiidft  Bi^ort  M  Infenn^^ 

Fiir  the  DcfcMC  QyIUmi  taMQnd  Dftta  Syitem  (IKTOS)^ 
DoD  IG  Pnject  No.  7R&300M2 


AUDIT  BACKGROUND 

DcrcwCa▼lll«Dl^erMlmMlDot■S3f<ttm(jpo^  ^Tbe  Mease  Civiliao  Revised 

Penoimd  Djoo  System  (IX^DS)  wiU  pfovide  ■  icamleu  MiUNiuled  iarocniKi^ 

dviliao  penofmel  policy  ections  and  penoimel  deciiions  duriof  peacetime,  cootingendes,  and 
waiting.  The  DCPDS  will  support  Militaiy  Departmenu  and  Defense  agencies  woridwide  and 

will  bcuaed  by  pcnooncl  ofliciaU,  employees,  managets.  and  seoior  kaderriiip  at  all  tevcisof  Revised 

DoD  operatioiis.  Ilk  DC7D5  lesldet  oo  a  snabfraoMS  omifiiaer  aid  has  (q>  m  tfaiee  sqwraie 

daiabaaei  at  Military  Depactmem  or  l^fenae  agency  leveh  to  support  civiliin  penoimel 

opcfatioos.  The  DCTOS  databases  am  maintained  at  the  Air  Force  Monnadw  Processing 

Activity  located  at  Randolph  Air  Force  Base,  San  Antoiuo.  Texas.  The  DCPDS  will  store. 

pioceas,  and  transmit  data  for  750,000  persoonel  records,  of  which  209/X)0  belong  to  the  Navy 

and  Marine  Corps  and  are  subject  to  the  Privacy  Ad  of  1974and  the  Freedom  of  iofonnation 

Act  I^  security  puipoaes,  the  DCPDS  datt  re  Ubeled**ieiisitive4Nit>iBicUasified.’* 

Reapoiiac;  The  proposed  language  may  confuse  leaders  since  it  does  not  dtstinguish  between  the 
kgacy  DCPDS  and  the  nwdern  DCPDS  itiU  under  devetopnieiit  To  avoid  confusion  we 
leoomiDend  the  substitution  of  the  foUowing  language,  wl^h  clari5es  die  distuictioa  between 
drekgacy  DCPDS  and  the  modern  DCPZ>S.  Also,  the  proposed  language  coriecu  a  technical 
error,  in  that,  the  legacy  DCPDS  mainframes  that  support  DoD  MUitary  Services  and  Federal 
Agenctet  (odier  than  an  Air  Force  prmion)  are  not  located  at  Randolph  AFB.  Texas. 

^T>efctisc  Civilian  Feraonnai  Data  Systesn.  The  legacy  Defense  Civilian  Fenonnel  Datt 
System  (DCPDS)  is  an  automated  infonnation  system  that  is  the  standard  DoD  civilian  peisonnel 
system.  The  legacy  DCPDS  is  used  to  document  and  store  dvUianpenoiiiiel  actions  for  the 
Department's  employees.  The  system  processes  sensitive-but-unclaisified  personnel 
infonnation.  The  legacy  DCPDS  resides  oo  a  mainframe  computer  and  has  aepsrate  dafahairt  at 
Military  Depaftmem  or  Defense  agen^  levels  to  ti^poct  civilian  personnel  operdions.  The  • 
tegacy  DCTPSdatabasrs  are  inainudned  at  the  Defied  Infonnation  Systems  Agency  Defense 
Megacenter.  San  Antonio,  located  at  Kelly  AFB,  Texas.  DCPDS  stores,  processes  and  nansmits 
data  for  750,000  personnel  records,  of  which  209,000  belong  to  the  Navy  and  Marine  Coqis  and 
are  subject  to  the  Privacy  Act  of  1974  and  the  Freedom  of  Infortnation  Act. 

To  support  die  regionalization  of  civilian  pesionnel  aendoe  deli  vtiy.  the  Department  developed  a 
suite  of  software  qylications  called  Pemomicl  Process  Improvements  (PPli)  that  operate  in 
coiyunctioa  with  data  from  the  legacy  DCPDS  in  aclknt-server  environment  The  PPI  Suite 
provides  an  efectronic  means  to  generate,  route,  and  process  personnel  actions;  create  and 
classify  positions;  inttiaie,  route,  and  track  training  requests;  and  access  the  personnel  database 
and  assodaied  data  from  other  functional  areas. 
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Final  Rq)OTt 
Reference 


Revised 


Revised 


The  DqMitmeiitb  DOW  io  the  process  of  developing  tmodefnDCPDS.  The  funcdociaility  of  the 

m  Suite  wm  be  tnchided  in  Che  xnodeni  1X31^  IlieiiiodemIXTDS  wiilpmWdeeaetfiileu 

auconuDed  iDfocmiCioo  system  chit  wiU  support  persofuiel  polk:y  acUoos 

during  peaceCime,  contingencies,  and  waitime.  The  modem  DCPOS  will  support  Compooentt 

worldwide.’' 

TheNnvyiUfioiisCfMpmgraph^  nhe  IX:PD5  wiU  caabk  the  Mmiaiy  Departing 
the  Defense  agencies  to  process,  store,  and  transmit  civilian  personnel  records  on  databases  at  23 
regional  service  centers." 

Regpotiae;  There  are  22  vegiooal  service  centers  under  the  cunent  program.  The  Defense 
Mapping  Agency  regional  service  center,  which  achieved  hiU  opending  capability  in  FV 1995. 
was  realigned  under  the  Nadooal  Imagery  and  Mapping  Agency  (NIMA).  Due  to  its  change  in 
security  classification  status  NIMA  is  no  longer  counted  as  part  of  the  regionalization  program. 
Recommend  the  sentence  be  changed  to  read  as  follows; 

*The  modem  DCPDS  wtU  enable  the  Military  Departments  and  the  Defense  agencies  to  process, 
store,  and  transmit  civilian  persoooe]  records  on  databases  at  22  regional  service  centers." 

The  Navy  Reghms  (paragraph  2).  "AddiUoiislly,  the  Navy  DO^  database  interfaces  with 

other  DoD  and  Federal  functional  databases;  for  example,  payroll  and  the  Ofihoe  of  Management 

and  Budget" 

Resoonaet  Tire  Navy  DCTDS  does  not  have  an  interface  with  the  Office  of  Management  and 
Budget.  The  Navy  DCPDS  does  provide  data  to  lire  Headquaners  Navy  System,  which,  in  turn, 
produces  a  cape  to  be  seat  to  tire  Office  of  Penonnel  Managenreot  to  update  the  Central 
Personnel  Dau  File.  Recommend  that  this  sentence  be  revised  to  read: 

^Additionally,  the  Navy  DCPDS  daubase  feeds  dau  to  other  DoD  databases,  for  ezample 
Defense  Civilian  Payroll  System  and  the  Head(|uarten  Navy  System." 

INFORMATION  ASSURANCE  PROGRAM: 

Plage  5,  paragraph  2.  *THirtlrer,  dre  DCPDS  furretknud  and  acquisition  program  rnanagers  did 
not  coordinate  with  Navy  about  their  respective  security  management  ides  and  rttpooiibililies 
for  the  DCPDS  information  assiinnoe  program." 

Coonfiaatfoo  with  DoD  Conpoaenfs  (page  10,  paragrapli  6%.  The  DCPDS  fonctional  and 
acquisition  project  inaiuigers  did  not  coordinate  with  die  Navy  in  their  respective  aecuricy 
management  ides  and  responsibUities  for  the  DCPDS  information  assumoe  program." 

Co<«TllaatioowithIfoDCointKm»nt«(patal1,paragriqih4^  Xooidination  of  DCPDS 
security  issues  is  impoitint  to  provide  consistency  among  all  DoD  Components  operating 
DCPDS.  The  lack  of  coordination  is  causing  DoD  Componentt  to  take  their  own  approaches  to 
security;  that  U,  drey  are  iodependemly  developing  their  own  measures  to  deal  with  DCPDS 
vulnerabilities." 
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Theap  dHW  ttitancots  do  not  accioifedy  itfloct  the  iwri:  Alt  hat  beta  aooooipl^^ 
lanedoiud  and  aoquiiition  pcogirwi  minagen  with  fcivdalo 
DCPDSiiifofmatfamaMtin^  TlielqpcyDCFDS  wMdca^gn0d.dpvelopod.aiidl^^ 
aaanAirFompCfSODiidiyttemintfaeinid>1970a.  When  the  ASD(C3I)  ikrignatnd  the  kgacy 
ix:ros  Mtheinkrim  atandacdsyitefflia  1991,dK  fbnctkxiilaiidaGquUidoapf^^ 
iKd  irrf  nifflfify  tH*  mtgn,  wapniMawIitiM,  mad  ptocaaaea. 

llie  Centnl  Dei^  Acdvhy  (CDA)  k>calcd  at  die  Ak  Fane  Penoinel  Ceite 
AITI.TfXMhifWK^«^*mftd«rfthtlMirjmpoagtrttcQiMendngd>eaec^ 

leipoiw^ilitkiibr  the  PPl  Suite  uaed  in  Gcadunc^  TbeCDAalao 

provided  the  Component  ayitemi  adhninUtndori  widi  tiaimng  and  manuala  that  cover  ptaedeea 
and  pcooeducca  for  graotingiooesa  to  the  PPI  Suite.  OnFehniary  12»  1997»dieCDApi<ovided 
CoaqpoMQtqfalnnaadmuiiatxatofiaaofiwaitieleaaeamiaiin^^  This 

icSeaae  imptocoted  the  fim  scripts  to  configure  aerveiB  Hid  woriortadoiia  in  aoc^^ 
ealabiisbedaecuri^  policy.  11k  CDAfXOvid^  another  rdeaseannotinDeoientfer  the  PPI 
VeraioQ  5.0  in  June  1997.  This  aanouneeinett  described  dKaci^  and  actions 
operate  die  system  aodh  log  leature. 

As  previously  stmed,  dte  Depaitmem  is  ocm  in  the  process  of  devrioptog  dK  inodem  DCPDS. 
Ihefimcdon^ityofdie  PPI  Suite  will  be  included  India  modem  system.  ReoeDtly,a 
eooidiiiated  modem  DCFDS  policy  and  securi^  support  |dan  was  piibUriied.  This  document 
clearly  defines  die  R^wetive  security  minsgemeat  roles  and  reiponsibUltks  for  die  modem 

DCPDS. 

CPMS,  in  coqjunclioa  with  the  CDA  security  stafi;  is  devdoping  a  System  Security  Annex  to  die 
Training  Support  Plan  (TSP).  Tbs  Annex  wdl  be  provided  to  Con^xmenta,  in  order  to  j^aii, 
develop,  and  execute  traixusg  strategies  f<»  finicd^  and  technical  peraomiel  tnvtdvod  in  the 
operatioasofdKmodemDCPDS.  11teAi»exalaoooiitaiittdtelmowledge,aldlbanda^^ 
and  tndmngrequiicroente  for  nctwrdciccuritypcrsoond.  system  adminialraiora,dteabase 
administrators,  mlbiinatfon  system  security  officers,  and  users  at  all  opersdooaikvds.  The 
Annex  will  be  completed  by  April  30, 199S. 


Added 


Added 
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